The General Data Protection Regulation (GDPR) is the most significant overhaul of European Union (EU) data protection legislation in over 20 years. Amongst other things, it is intended to provide better protection to individuals and to give organizations greater certainty when navigating data protection across EU member states.
It includes 99 articles covering virtually every aspect of business and information management, from the consent needed to collect and process information to the “right to be deleted”. Importantly for global businesses (including those outside the EU), the GDPR is supra-national: any business that processes the data of EU citizens falls under its remit, not just European businesses.
For cyber security professionals, the drive for data protection and information management is not new, although the level of detail, the data breach notification requirements and the fines in the GDPR bring a lot more focus to it.
As the scale of the cyber threat is revealed, organizations should welcome the data security requirements laid down by the GDPR as an opportunity to reduce the risk of data breaches. After all, if an organization’s data is compromised, regulatory fines may be the least of its worries.
While the GDPR introduces severe penalties for compliance failures, it will also force organizations to pay more attention to data security in the face of the looming cyber threat.
How to comply with the 5 cyber security clauses of GDPR
For security monitoring and operations in GDPR-compliant businesses there is increased focus on both prevention and avoidance of security and privacy breaches. Further, it is imperative to be able to respond quickly when a problem does occur, understand it and take action. The 72 hours allowed to notify the supervisory authority is accompanied by an expectation that affected data subjects will be communicated with promptly. As a minimum, businesses handling personal data will need to:
- Engage the DPO as part of the access and authorization approval processes.
- Use identity governance tools to obtain access attestation as well as to prevent unauthorized access.
- Create a catalogue of roles that identifies the personal data reachable through each application, and track and periodically review each of these roles.
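The three points above describe an access attestation review: a role catalogue that records which personal data each role can reach, a check that every assignment was approved, and a periodic re-review of each role. The script below is an added example written for this page, not Soffid code and not part of the original article; the catalogue layout, the sample users and assignments, and the 90-day/365-day review cadences are constructed assumptions, not figures taken from the GDPR.

```python
from datetime import date, timedelta

# Constructed role catalogue: for each application, the roles it exposes and the
# categories of personal data a holder of that role can reach.
ROLE_CATALOGUE = {
    "hr-portal": {
        "hr-admin": {"name", "address", "salary", "health"},
        "hr-viewer": {"name"},
    },
    "crm": {
        "sales-rep": {"name", "email", "phone"},
        "crm-reporting": set(),  # aggregated figures only, no personal data
    },
}

# Constructed assignments: who holds which role, who approved it, and when the
# assignment was last attested (None means it has never been reviewed).
ASSIGNMENTS = [
    {"user": "alice", "app": "hr-portal", "role": "hr-admin",
     "approved_by": "dpo", "last_attested": date(2024, 1, 10)},
    {"user": "bob", "app": "hr-portal", "role": "hr-admin",
     "approved_by": None, "last_attested": None},
    {"user": "carol", "app": "crm", "role": "sales-rep",
     "approved_by": "crm-owner", "last_attested": date(2024, 5, 1)},
    {"user": "dave", "app": "crm", "role": "legacy-export",
     "approved_by": "crm-owner", "last_attested": date(2024, 5, 1)},
    {"user": "erin", "app": "crm", "role": "crm-reporting",
     "approved_by": "crm-owner", "last_attested": None},
]

# Assumed special-category data that warrants a shorter review cycle.
SENSITIVE = {"health", "salary"}


def review_period(categories):
    """Assumed cadence: 90 days for roles reaching sensitive data, else a year."""
    return timedelta(days=90) if categories & SENSITIVE else timedelta(days=365)


def personal_data_by_application(catalogue):
    """Inventory of personal data reachable through each application."""
    return {app: set().union(*roles.values()) for app, roles in catalogue.items()}


def attestation_findings(catalogue, assignments, today):
    """Return (user, app, role, finding) tuples that an access review must resolve."""
    findings = []
    for a in assignments:
        roles = catalogue.get(a["app"], {})
        if a["role"] not in roles:
            # An assignment to a role nobody catalogued is unauthorized by definition.
            findings.append((a["user"], a["app"], a["role"], "role not in catalogue"))
            continue
        categories = roles[a["role"]]
        if not categories:
            continue  # no personal data reachable, no attestation needed
        if a["approved_by"] is None:
            findings.append((a["user"], a["app"], a["role"], "no recorded approval"))
        overdue = a["last_attested"] is None or today - a["last_attested"] > review_period(categories)
        if overdue:
            findings.append((a["user"], a["app"], a["role"], "attestation overdue"))
    return findings


if __name__ == "__main__":
    review_date = date(2024, 6, 1)  # fixed date so the sample output is reproducible
    for app, data in personal_data_by_application(ROLE_CATALOGUE).items():
        print(f"{app}: {sorted(data)}")
    for finding in attestation_findings(ROLE_CATALOGUE, ASSIGNMENTS, review_date):
        print(finding)
```

Run against the constructed data on 2024-06-01, the review flags alice (sensitive role attested more than 90 days ago), bob (never approved and never attested), and dave (a role that was never catalogued), while carol and erin pass. The point of keeping the catalogue separate from the assignments is that the catalogue is what the DPO approves; anything granted outside it shows up as a finding rather than silently persisting.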
GDPR in Soffid
The Soffid IAM (Soffid Identity and Access Management) software suite covers certain parts of the European General Data Protection Regulation (GDPR). The regulation states that best practices should be implemented with regard to information systems security, and best practices in this area are covered by ISO 27001. Therefore, this document also presents Soffid’s coverage of ISO 27001 (Information technology — Security techniques — Information security management systems — Requirements).
Out of the 11 chapters and 99 articles of the GDPR, Soffid makes a substantial contribution in 3 chapters and 16 articles. Regarding ISO 27001, Soffid has nearly full coverage of section A.9 Access control. On top of this, Soffid contributes coverage of controls in sections A.6 (Organisation of information security), A.7 (Human resources security), A.8 (Asset management), A.11 (Physical and environmental security), A.12 (Operations security), A.15 (Supplier relationships) and A.17 (Information security aspects of business continuity management).
Summary of the regulation
On April 14, 2016, the European Parliament approved the General Regulation on Data Protection, with direct application in Member States.
Regulation enforcing date
The new legal framework for data protection will apply as of May 25, 2018.
Impact on processes
This regulatory change has a clear and important impact on organizations, since it imposes new obligations that affect not only traditional compliance but also, and very significantly, their processes and the way privacy risks are analysed.
Main points of impact of the regulation:
1. The territorial scope is all EU states.
2. Data protection principles are expanded and reinforced: purpose limitation, data minimization, accuracy, storage limitation, integrity and confidentiality, and accountability.
3. Recognition of new rights for data subjects: the right to data portability; the right to be forgotten; the right not to be subject to decisions based solely on automated processing (profiling); the right to complain and appeal to the supervisory authority or to the controller.
4. Legal basis on which processing is carried out: obtaining unambiguous consent; specifying and documenting legitimate interest.
5. New obligations: a register of processing activities; notification of security breaches; a Data Protection Officer; processes for handling the exercise of rights.
6. New paradigm in data protection: the accountability principle; privacy by design and by default; data protection impact assessments.
7. Self-regulation and certification: adherence to codes of conduct; establishment of certification mechanisms, seals and marks.
8. New sanctioning regime: penalties of up to 4% of total annual global turnover.
Soffid, as an integral access control and identity management solution, provides the following within the framework of this new regulation:
1. Organization of data by identity, with unification and quality of data: a single location for the data, and its retention, integrity and confidentiality.
2. Obtaining data, data portability, the right to be forgotten and obtaining consent, through integration with the Soffid business process manager.
3. Management of all processing carried out on the data, with audits and reports of every operation performed on it, which satisfies the obligation to keep a register of processing activities.
4. Detection and notification of security breaches.
5. A certification process managed by Soffid.